Integration of ERM into a Corporate Environment

Posted April 7, 2014 by riskviews
Categories: Enterprise Risk Management


By Max J. Rudolph, FSA CFA CERA MAAA

This is an excerpt from a paper that was submitted to the North American CRO Council 2013 Call for Papers on October 11, 2013.


Enterprise risk management can be an exercise in adding value or simply another in a long list of buzz words popular with directors, investors and rating agencies. It may even be seen as a roadblock and interventionist tool by company management. An appropriate balance must be maintained. What is the right mix of constraints versus growth, qualitative versus quantitative analysis, and short versus long time horizons? These are all questions that the successful ERM process must resolve to build transparency around all risks and build firm resilience.


Company resources are tight, and ERM is viewed by some simply as a cost. In the annual Survey of Emerging Risks that I author we continually find more being asked of risk managers, but without commensurate resources being added. Risk culture is the driver here. Where risk is embedded in a firm, both top-down and bottom-up, it is recognized that better decisions are made by considering all types of risks.


Unfortunately many Risk Departments are set up to fail by focusing entirely on constraints, being able to stop a project but not being viewed as a partner who understands how risks aggregate and interact to increase returns. The prior reputation of the risk team predetermines its success, and this is driven from the top. If senior management involves the risk team early in new product development, for example, they are able to suggest adjustments that may lead to a more stable product or provide an internal hedge against a product sold in another part of the company. If the CEO (Chief Executive Officer) views the risk team as a cost center then they will not be successful.


Organizational Structure

Each company must integrate the risk team into an existing organizational chart based on the underlying risk culture. At some companies the primary risks, typically at manufacturing or service focused firms, can be covered by insurance. The Chief Risk Officer (CRO) becomes a coordinator who seeks out competitive rates and coordinates insurer expertise with in-house risk mitigation. In this situation the CRO might report to the Chief Financial Officer (CFO) or Treasurer and be a low level officer or high level manager. The position rarely gets involved in strategic planning discussions and reports to the board are generally canned and informational, covering tactical plans and recent results. Key risk indicators typically provide lagging data.


Small firms will likely add the CRO duties, and sometimes the title, to the CFO as he is the primary provider of oversight at such firms. Reports to the board are part of normal financial disclosures and can incorporate strategic topics. Key risk indicators provide lagging information but can incorporate leading indicators as well.

Many larger financial firms, with higher levels of financial risk relative to operational risk, have a CRO position that reports to the board, with a dotted line to someone on the senior management team. This position often focuses on data collection and board presentations designed mostly to make the board able to say they have considered risks, or they can be a key management team member that engages the board to understand how the firm’s risk profile is evolving and the potential implications. Done right the focus is on leading risk indicators and brainstorming between areas. This has added benefits of oversight and succession planning.


Unfortunately, many firms rely primarily on quantitative data collected from experts in the business units rather than filling the risk team with business experts and experienced practitioners who can qualitatively question specific practices before they get out of control.


Large firms have an additional hurdle as they tend to be bureaucracies, and those who rise through the ranks have often avoided stressful challenges rather than acting as providers of useful contrarian advice. A small firm may have better risk management practices because the CRO has business experience that drives qualitative analysis rather than an overreliance on quantitative models. The largest companies tend to fall into a trap where complex models are developed and the shortcomings of those models are ignored or included in small print as a footnote. While quantitative analysis is important, everything that counts can’t be counted.

Best practice org chart: firms that want to improve their decision making should segment their risk management team between data collectors, where a consistent ERM process is developed and implemented, and strategic planning. The CRO should manage the planning process, making sure that consistent assumptions and models are input to consistent models. Interactions between areas, transparency and concentration risk should be considered. This position should report directly to the CEO, and perhaps not to the board, and be the primary source of common sense oversight to the management team. This natural skeptic must be protected politically by the CEO or it won’t work. Interestingly, this role could be filled externally by a consultant who provides honest feedback. Many firms will place employees with this type of expertise in senior management roles running a line or as CFO.

©2013 Rudolph Financial Consulting, LLC

The remainder of this essay is available here.

CRO’s Talk @ #ICA2014

Posted April 3, 2014 by riskviews
Categories: Enterprise Risk Management



Notes from two sessions:

Top Risks:

  • Market Risk
  • Operational Risk
  • Credit Risk – Spread + Default
  • Longevity
  • Regulation – Multiple and conflicting requirements from Local, Regional and International regulators
  • Regulations – constantly changing
  • Prolonged Low interest Rates

What are Insurers doing in response to top risks:

  • Hedging
  • Not getting paid for all risks that they take
  • CRO acts as buffer for regulatory risk – best response is regular discussions with regulator

Senior Management buy in is most important for CRO and success of ERM

Need a diverse ERM team

Risk management folks in Business Units are an important source of information about what is going on

Three lines of defense:  BU risk taking are primarily responsible, RM provides risk measurement and risk policies, Audit provides assurance of compliance with policies and limits

CRO is part of value creation chain.  But needs to avoid any conflicts of interest

One CRO has his own model, does not depend on business unit model.

With multiple models there is a risk of spending too much analytical time on cross model validation and not enough using the model

Need to pay attention to PV of future benefits of current plans

Look at scenarios that are not in the models

Focus should be on the really key parameters for the risks that have a real impact on the balance sheet

Almost impossible to get interdependency correct

ORSA requirements mean that one company that had been doing internal solvency assessment for over 10 years must increase efforts and especially documentation

CRO is the Face of the ERM program to internal and external audiences

CRO must engage with BU leaders as an equal in the organization

CRO heads the Risk and Control Committee

Primary function of Risk function is challenge and oversight

CRO leads a full day ERM meeting with the board once per year

ORSA sign-off is new board role – focuses attention (Bermuda)

Board engagement depends on good communication about risk – not too technical

New board members get risk education session – had been only for new members of risk committee, but other board members complained and insisted

First time for public risk and risk management disclosures.  Highly concerned about interpretation and questions from various audiences

Regulation is having too much influence on Risk Management priorities – using up the RM budget and resources with things that would not otherwise be a priority to the company

But regulatory focus means higher priority and notice of RM in company

Regulators may be going overboard with local capital requirements resulting in stranded capital for some groups, reducing the value of diversification and increasing the cost of insurance

One group has model for regulatory report that does not necessarily fit with local requirements – CRO must resolve

CRO does not want to be DR. NO – RM should be adviser to business

Strategy advisor – managing a portfolio of risks – Risk Tolerances tied to Risk limits based upon capital budgeting concerns

CRO contribution to risk controlling – making the mitigation more effective or less costly

Explaining risk culture – why does the company have limits and do risk mitigation

Top Challenges:

  • Staying on top of constantly changing regulatory changes
  • Internal positioning of Risk – not the technocrats of risk
  • State of Flux of everything – lots of changes – rules still evolving – need to help company to navigate
  • Establishing and maintaining role of CRO as strategic advisor
  • Turnover of top management – making sure new managers are up to speed with risk management framework
  • Risk culture – what the employees do when no one is looking.  Getting everyone to make the same sorts of choices
  • How to get risk function involved in supporting corporate goals
  • Group risk policy much too detailed.  Risk principles may conflict with detailed policies.

CRO must be willing to Fall on their sword.  That is just part of the job.  Must be willing to challenge when things are not right.  Actuarial standards are good support for this.

Lots more.  Get the recordings when they are available.




Attributes of Unsuccessful Companies

Posted March 26, 2014 by riskviews
Categories: People Risk


from Mike Cohen

(whether they have gone out of business or have underperformed)

1) Goals (most importantly financial) have not been clearly identified or calibrated, with a number of damaging consequences:

  • It is not clear whether strategies being pursued will lead to the company achieving desired results
  • Companies may not be able to quantify and qualify the potential impact of the risks they are taking relative to the goals they are trying to accomplish (Many firms!)
  • The goals may not be realistic, and the company could be stretching beyond its capabilities and risk tolerance to attempt to achieve those goals (possibly becoming desperate)

2) Company does not have the necessary expertise or reputation to operate successfully in its chosen lines, for various reasons:

  • Leading competitors have set standards that are not attainable by the company (Many firms, for example those pursuing the ‘Financial services supermarket’ model)
  • Smaller companies seeking to compete ‘toe-to-toe’ with larger companies as opposed to executing niche strategies in segments the larger firms are not interested in
  • Core competencies aren’t sufficiently robust (Many firms!)
  • Competitive advantages are overstated (Many firms!)

3) Not accurately understanding the customer (product pushers are particularly susceptible)

  • Being out of touch with current trends, needs, wants, attitudes, demographics
  • Customers may not know what they want, exacerbating the problem (Steve Jobs’ theory, executed extremely successfully at Apple!). Following on this thought, can focus groups provide accurate, actionable input? The quip about ‘quality’ also comes to mind: “I can’t define quality, but I’ll know it when I see it”

4) Product performance is materially poorer than projected

  • Pricing assumptions are missed, leading to lower margins or necessitating reserve strengthening
  • Product features cause benefits to be paid that are much greater than anticipated (Variable annuities)
  • Product guarantees are not effectively hedged (Again, variable annuities)

5) Risk management practices do not adequately address the company’s most important potential exposures, leading to:

  • Taking risks that do not have commensurate returns
  • Pursuing strategies or entering into transactions that have not been exhaustively vetted
  • Inaccurately calibrating the potential adverse impact of risks taken (General American – Funding Agreements, AIG – Credit Default Swaps)
  • Overestimating the company’s tolerance for risk, and underestimating stakeholders’ reactions to outsized risk exposures
  • Weakened capital
  • Suppressed earnings
  • Asset-related issues: Erosion of principal, poor returns, constrained liquidity

6) Decision making culture and processes producing poor choices

  • Inwardly focused decision making, placing greater value on what has been created internally than on what others (externally) have done, either individually or collectively, potentially missing out on higher-order thinking generated by groups and on critical perspectives of others
  • Not recognizing dislocations, changed paradigms and fundamentals; slow and cautious reactions to new information
  • Getting bad advice (including faulty research) or no advice (not realizing when they are at an information disadvantage), and not differentiating between helpful and harmful experts ahead of time
  • Defensive attitude: Arrogance, cowardice, lack of openness to other ideas
  • Ineffective problem solving
  • Working only on problems that seemingly can be solved and avoiding those that appear difficult to solve
  • Not admitting mistakes or misassumptions, tending to blame others for poor results as opposed to studying the causes for their own mistakes and fixing them.
  • Not making corrections decisively, or overreacting
  • Penalizing (punishing) associates for raising troublesome issues (Many companies!)
  • Following the herd


  • There probably isn’t a single attribute leading to company underperformance that couldn’t be successfully addressed if the company was so inclined.
  • It is instructive to note that the causes leading to underperformance are not the ‘opposites’ of the attributes of successful companies. Every company strives to be successful, but unfortunately many haven’t realized their aspirations.

Michael A. Cohen, Principal of Cohen Strategic Consulting

Risk Culture gets the Blame

Posted March 18, 2014 by riskviews
Categories: Cultural Theory of Risk, Enterprise Risk Management, Risk Culture


Poor Risk Culture has often been blamed for some of the headline corporate failures of the past several years.  Regulators and rating agencies have spoken out about what they would suggest as important elements of a strong risk culture, and the following 10 elements all show up on more than one of those lists:

1.      Risk Governance – involvement of the board in risk management

2.      Risk Appetite – clear statement of the risk that the organization would be willing to accept

3.      Compensation – incentive compensation does not conflict with goals of risk management

4.      Tone at the Top – board and top management are publicly vocal in support of risk management

5.      Accountability – Individuals are held accountable for violations of risk limits

6.      Challenge – it is acceptable to publicly disagree with risk assessments

7.      Risk Organization – individuals are assigned specific roles to facilitate the risk management program, including a lead risk officer

8.      Broad communication / participation in RM – risk management is everyone’s job and everyone knows what is happening

9.      RM Linked to strategy – risk management program is consistent with company strategy and planning considers risk information

10.    Separate Measurement and Management of risk – no one assesses their own performance regarding risk and risk management

Those are all good things for a firm to do to make it more likely for their risk management to succeed, but this list hardly makes up a Risk Culture.


The latest WillisWire post in the ERM Practices series talks about Risk Culture from the perspective of the fundamental beliefs of the people in the organization about risk.

And RISKVIEWS has made over 50 posts about various aspects of risk culture.

Risk Culture Posts in RISKVIEWS

What if there are no clocks?

Posted March 17, 2014 by riskviews
Categories: Enterprise Risk Management, Risk Culture


RISKVIEWS recently told someone that the idea of a Risk Control Cycle was quite simple.  In fact, it is just as simple as making an appointment and keeping it.

But what if you are in a culture that has no clocks?


Imagine how difficult the conversation might be about an appointment for 9:25 tomorrow morning.

That is the situation for companies that have no tradition of measuring risk and want to learn about adopting a risk control cycle.

The companies who have dutifully followed a regulatory imperative to install a capital model may think that they have a risk measurement system.  But that system is like a clock that they only look at once per month.  Not very helpful for making and keeping appointments.

Risk control needs to be done with risk measures that are available frequently.  That probably will mean that the risk measure that is most useful for risk control might not be as spectacularly accurate as a capital model.  The risk control process needs a quick measure of risk that can be available every week or at least every month.  Information at the speed of your business decision making process.

But none of us are really in a culture where there are no clocks.  Instead, we are in cultures where we choose not to put any clocks up on the walls.  We choose not to set times for our appointments.

I found that if you have a goal, that you might not reach it. But if you don’t have one, then you are never disappointed. And I gotta tell ya… it feels phenomenal.

from the movie Dodgeball

Are you Hungry for More Risk?

Posted March 4, 2014 by riskviews
Categories: Enterprise Risk Management

Best risk management practice is that you declare your hunger before you taste the food.  You can look at the menu and you can see the food, but you need to declare your appetite in advance of eating.  Not necessarily in advance of ordering.

Setting your appetite in advance and sticking to it will prevent you from gorging on too much risk that tastes good but will likely make you sick.

This week, WillisWire blog features an essay about Risk Appetite:

Guide to ERM: Risk Appetite and Tolerance

RISKVIEWS has featured several posts on Risk Appetite:

And here are a couple of published articles:

Help Wanted: Risk Tolerance

Not Such Foreign Concepts



Who should do ERM?

Posted February 25, 2014 by riskviews
Categories: Enterprise Risk Management
